Marathon runners schedule their training and running schedules based on the dates of their races. Once the date is set, runners set and achieve race goals through planning and training. They mark key dates and milestones as the race date approaches to ensure success on race day.

Consider General Data Protection Regulation (GDPR) a marathon for your organization, and race day is 25 May 2018. This is not a sprint; you must be ready for these regulations to last for a long while. Below are some key dates and changes to understand the regulation’s evolution, and to enhance your organization’s readiness for GDPR.

GDPR was not created in a vacuum. Its roots stem from data protection efforts in the mid-1990s with the Data Protection Directive (1995), and protection efforts have grown to reflect the changes in how people interact with information technology. GDPR was adopted by the Council of the European Union (EU) in April 2016, and the May enforcement date comes after a two-year grace period.

GDPR impacts all organizations that do business or sell goods in the EU and collect, process, and store personal data of citizens of the EU. Here are some terms you should know—and be in compliance with:

Data Subject

A “natural person,” that is, an individual, from whom personal data can be collected.

Personal Data

Any information related to a person (a data subject), that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.


Performing any—and the GDPR means “any”—operation or set of operations on personal data, including: obtaining, recording, keeping, organizing, altering, retrieving, consulting, using, disclosing the data to a third party (including publication), erasing, and destroying the data.


Explicit permission from data subjects. Companies can no longer use long illegible terms and conditions. Instead, the request for consent must be given in intelligible and easily accessible forms. Further, consent must be distinguishable from other matters and provided in clear and plain language. It must equally easy to give consent and to withdraw it. Additionally, collecting information from data subjects who are under age 16 requires parental consent.
*Please note that GDPR allows for member states to set a lower age, but not below 13.

Data Controller

A controller is the person or entity that determines the purposes, conditions, and means of the processing of personal data.

Data Processor 

The processor is the entity or persons that actually work with and process personal data.

Data Protection Officer (DPO)

Organizations that regularly and systematically monitor data subjects on a large scale or process special categories of data or data relating to criminal convictions and offences must appoint a DPO, who has expert knowledge on data protection law and practices. A DPO may be a staff member or an external service provider. Additionally, a DPO’s job must not include any other tasks that could results in a conflict of interest.

Breach Notification

GDPR makes breach notifications mandatory when a data breach is likely to “result in a risk for the rights and freedoms of individuals.” A breach must be reported to the local data protection authority within 72 hours of discovery and to affected individuals “without undue delay.”

Right to Access

Individuals (data subjects) must be able to obtain confirmation of whether their personal data is processed, for what purpose, and where it’s stored. Controllers must provide a copy of the personal data, free of charge, in an electronic format.

Right to be Forgotten (or Data Erasure)

Any data subject can require a data controller to erase his/her personal data, cease data dissemination, and potentially halt third-party data-processing. This right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

Data Portability 

Data subjects can ask for and receive their personal data, and they have can transmit that data to another controller.

Privacy by Design

“Privacy by design” requires security features to be included in system design, not added later (“baked in,” not “bolted on”). While this concept has existed for years, GDPR elevates it to a legal requirement.


Organizations in breach of GDPR can incur maximum fines up to 4% of annual global turnover or €20 Million (whichever is greater). These rules apply to both controllers and processors — meaning clouds will not be exempt from GDPR enforcement.

Just as marathon training is best accomplished with help from a successful trainer, getting ready for GDPR compliance should be facilitated by those who understand it. If you need assistance with understanding the requirements for protecting the rights of data subjects (Chapter 3 of GDPR), let FileFacets help teach your staff and meet the requirements. To learn more about FileFacets and GDPR, please visit